What is personal information and what is confidential information?
- Personal information includes identity documents, driver’s licenses, passports, addresses and contact details among others.
- Confidential information includes usernames, passwords and PIN numbers.
Your personal information can be used by criminals to assume your identity and acquire retail or bank accounts, or even defraud your insurance, medical aid and Unemployment Insurance Fund. In some instances, they impersonate you and, using social engineering, access your bank accounts and perform transactions. As some personal information, such as your identity number, cannot be changed readily, and other personal information, such as your home and work addresses, is impractical to change, we recommend that you consider the following precautionary measures when you are required to provide personal information for security verification purposes:
- Do not use any information that may have been compromised. Rather use other personal information that you have not used previously to confirm your identity in future.
- Register a new email account. Implement dual authentication for all accounts and products, especially for financial services products.
- Register for SMS notifications to alert you when products and accounts are accessed.
- Conduct regular credit checks to verify whether someone has applied for credit using your personal information and if so, advise the credit grantor immediately.
- Investigate and register for credit related alerts offered by credit bureaus.
- Check your bank statements regularly.
Should you suspect that your data has been compromised, please follow these steps:
1. Where can I check if my data has been compromised in a breach?
- You can check when and where your information may have been compromised on free data breach websites created by cybersecurity experts. These websites aggregate data breach information into a searchable format. All you need to do is enter your email address or your username.
2. Is there somewhere where I can complain if I discover my data is compromised?
- “The Protection of Personal Information Act, 2013 (PPI Act) aims to promote the protection of personal information processed by public and private bodies by, among others, introducing certain conditions for the lawful processing of personal information”
- Should you suspect that there has been interference with the protection of your personal information, you may lodge a complaint with the Information Regulator at complaints.IR@justice.gov.za
3. What are the legal responsibilities towards me by the person that lost my data?
- The party responsible for losing your data is, by law, required to report the incident to the appropriate regulatory authorities, such as the National Credit Regulator and the Information Regulator. They will be required to report the breach to law enforcement and initiate a formal forensic investigation. Failure to do so, or delaying this, could result in massive fines or penalties.
- The party responsible is also obliged to tell you that your data has been compromised.
- In addition, they must advise you of the potential risks of the breach as well as the actions that they are taking to mitigate these risks.
- The Protection of Personal Information Act (or POPI Act) is South Africa's law that sets conditions for responsible parties to lawfully process personal information belonging to individuals.
- The POPI Act stipulates that during the process of collecting personal information, organisations must provide the requisite reasons for obtaining this data but most importantly ensure that it’s shared only with authorised individuals.
- At the moment, organisations are not yet liable under the POPI Act, as organisations have until 1 July 2021 to meet the Act’s various obligations.
- However, when the POPI Act comes into force, businesses that don't comply, irrespective of whether it was intentional or accidental, will face severe penalties. The Act makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.
4. What do I do if I discover my identity has been used to create a bank account or subscribe to a service without my consent?
- Immediately report the identity theft to the South African Police Service and the company, bank or financial institution where the fraud occurred.
- If a bank account has been fraudulently opened using your identity, close your existing bank accounts and the bank accounts opened by the thief. Request new accounts and PINs.
- Also, apply immediately for a free Protective Registration listing with Southern Africa Fraud Prevention Service (SAFPS). This service alerts SAFPS members, which include banks and credit providers, that additional care needs to be taken to confirm that they are transacting with the legitimate identity holder. Consumers wanting to apply for a Protective Registration can visit the SAFPS website – http://www.safps.org.za/ – and, under the “Fraud Prevention” tab, click on “Apply for Protective Registration” and then “Register Now”.
- If you have any concerns about your data, you can check your credit report by visiting any one of the following credit bureaus' websites: TransUnion, Compuscan, Experian, XDS and mycreditcheck. (The first report is free.)
- If the username and password for your online account have been breached, change these immediately. Use a strong password and remember to also change your security questions and answers. Update usernames and passwords for any other accounts as well if they were similar to those that were breached.
- Remember, never disclose personal information such as passwords and PINs when asked to do so by anyone via telephone, fax, text messages or even email.